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ABSTRACT 


This  report  is  an  evaluation  of  emironmental  control 
system  reliability  data  supplied  by  an  Associ^ate  Contractor 
and  subcontractors  for  Air  Force  Minuteman  Wing  1.  The 
data  submitted  by  American  Air  Filter  Co*  are  found  to  be 
a  fair  estimate  of  Mean  Time  Between  Failures  (MTBF), 
although  modifying  factors  were  not  always  applied.  The 
data  supplied  by  Holladay  and  Westcott  were  found  to  be 
unrealistic«  mainly  because  not  all  sources  of  data  were 
considered* 

Recommendations  for  system  upgrading  are  made  by 
STL  for  future  Wings  of  the  Minuteman  Program*  These 
recommendations  include  such  things  as  overdesign  allow¬ 
ances,  redundancy,  use  of  best  equipment,  complete  failure 
reporting,  and  use  of  modifying  factors  for  correct  deter¬ 
mination  of  MTBF. 
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I.  PURPOSE 


This  report  presents  an  STL  reliability  evaluation  of 
the  American  Air  Filter  (AAF)  report,  "Reliability  Report, 
Environmental  Control  Systems  WS  133A  Technical  Facilities 
AF  04(647)-689/'  dated  1  November  1961,  and  a  similar  AAF 
report  dated  20  April  1962.  The  evaluation  also  covers  the  Holladay 
and  Westcott  "WS  133A  Technical  Facilities  Environmental 
ControlSystcm  Study  Final  Report,"  dated21May  1962.  Analyses 
submitted  under  the  AAF  report  dated  November  1961,  hereinafter 
referred  to  as  Reference  1,  are  based  upon  design  parameters 
and  reliability  data  established  on  or  before  19  September  1961. 
The  April  report  is  based  upon  systems  data  updated  to  6  April  1962. 
No  evaluation  of  Engineering  Change  Proposal  (ECP)  or  other 
change  action  put  into  effect  subsequent  to  that  date  is  attempted. 
The  Holladay  and  Westcott  report,  hereinafter  referred  to  as 
Reference  2,  is  an  evaluation  of  Reference  1. 

A  secondary  purpose  of  this  report  is  to  present  the  position  of 
the  STL  Reliability  Staff.  This  position  is  based  on  evaluation 
of  the  major  systems,  subsystems,  and  components  of  the 
environmental  control  system  of  Minuteman  Wing  I, 
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II.  INTRODUCTION 


Air  Force  Minuteman  Wing  I  operation  requires  that  each  of 
the  three  major  types  of  ground  support  installation  control  functions  be 
equipped  with  environmental  control.  Thus,  the  primary  function  of  the 
AAF- supplied  environmental  control  system  equipment  is  to  maintain  and 
control  the  environment  of  the  Launch  Control  Facility  (LCF)  Launch 
Control  Center  (LCC),  the  LCF  Strategic  Remote  Control  Center  (SRCC), 
and  the  Launch  Facility  (LF).  This  function  includes  temperature  and  air- 
conditioning  control  for  both  electronic  systems  equipment  and  personnel. 
Air  purification  is  a  requirement  for  both  normal  and  emergency  operation. 
Emergency  operation  of  the  systems  is  accomplished  by  automatic  switching 
from  the  normal  mode  under  conditions  of  power  failure  or  other  emergency 
conditions.  Diesel  generators  or  batteries  provide  a  power  source  under 
these  conditions  through  automatic  switching  devices.  The  Wing  I  complex 
includes  150  installations  of  the  Launch  Facility  type,  13  of  the  Launch 
Control  Center  type,  and  2  of  the  Strategic  Remote  Control  Center  type. 

Figure  1  is  a  cutaway  view  of  a  typical  Launch  Facility.  The  environ¬ 
mental  control  equipment  serving  the  Launch  Facility  provider  conditioned 
air  at  closely  controlled  humidity  and  temperature  levels  to  the  installed 
electronic  equipment  packages.  Cooling  air  is  also  provided  to  the  general 
equipment  area,  and  supplementary  heated  and  controlled  air  is  ducted  into 
the  launch  tube.  Extremely  complex  control  equipment  is  not  required  to 
enable  the  air  -  conditioning  system  to  provide  close  temperature  and  humid- 
itv  control  m  the  launcher.  This  is  because  the  launcher  is  totally  enclosed 
and  has  no  attending  personnel.  The  control  system  for  the  launch  tube 
beater  is  relatively  simple,  since  the  launch  tube  has  a  nearly  constant 
heating  load. 

Figure  la  illustrates  the  environmental  control  system  arrangement 
within  the  Launcher  and  the  Launch  Support  Building. 

Figure  2  is  a  cutaway  view  of  a  typical  Launch  Control  Center.  The 
location  of  the  environmental  control  system  equipment  is  shown  in 
Figure  2a.  The  environmental  control  equipment  utilized  in  this  installation 
is  required  not  only  for  closely  controlling  the  temperature  and  the  humidity 
of  the  air  supplied  to  the  electronic  equipment  in  the  LCC,  but  also  to 
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Figure  L  Typical  Minuteman  Launcher 
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Figure  la.  Launch  Facility  Environmental  Control  System 
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provide  suitable  environment  for  the  occupants.  A  battery  compartment  is 
also  ventilated.  The  main  components  of  this  system,  the  packaged  brine 
chiller  and  the  air- conditioner  package,  are  located  above  ground  in  the 
support  building,  and  conditioned  air  is  ducted  down  into  the  control  center 
as  schematically  indicated  in  Figure  2b. 

The  SRCC  type  of  LCF  serves  the  same  purpose  remotely,  as  the  LCC 
mentioned  above.  The  equipment  is  also  very  similar,  with  the  exception  of 
the  requirement  for  two  air  conditioners  and  two  brine  chillers,  which  pro¬ 
vide  additional  conditioned  air  capability.  The  double  air- conditioner, 
brine  chiller  arrangement  requires  an  additional  sequence- starting  aux¬ 
iliary  panel  in  the  support  building  to  provide  sequence  starting  of  the 
second  units  and  to  provide  instrument  air  pressure  to  the  control  center 
from  whichever  air- conditioner  unit  is  operating.  A  cumulator  system  is 
added  to  provide  a  delay  between  the  starting  of  the  two  brine  chillers. 
Equipment  locations  are  illustrated  in  Figure  3. 

Much  of  the  equipment  used  is  identical  for  all  three  types  of  facility. 
Packaged  brine  chillers  in  the  LF  and  LCF  are  identical;  packaged  air- 
conditioners  are  identical.  Alarm  systems  and  use  of  filters  are  very 
similar.  Most  of  the  smaller  components  are  identical.  And,  as  noted 
above,  the  two  types  of  LCF  utilize  identical  components,  with  the  excep¬ 
tion  of  the  sequencing  arrangement.  From  the  reliability  standpoint,  use 
of  identical  components  is  good  not  only  because  of  inherent  simplification, 
but  because  failures  in  one  area  may  well  be  applicable  by  cause  or  remedy 
to  another  area.  It  is  also  very  desirable  from  a  logistics  viewpoint. 

Table  1  is  a  subsystem  breakdown  of  the  systems  involved  in  the  Minuterian 
environmental  control  system  installations. 
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Figure  2b.  Conditioned  Air  Flow  in  Launch  Control  Center 
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Table  1.  Environmental  Control  System  Facilities 
and  Subsystems 

Facility  and  Subsystem  Quantity 


LCF(SRCC)  Normal  2 

A.  Air  Handling  -  Support  Building  2 

B.  Packaged  Brine  Chiller  1 

C.  Air  Handling  (LCF-SRCC)  (LCF-LCC)  1 

D.  Normal  Operating  Emergency  Water  Storage  1 

E.  Exhaust  Air  System  1 

F.  Control  Air  Supply  1 

LCF(LCC)  Normal 

A.  Air  Handling  -  Supp^ort  Building  1 

B.  Packaged  Brine  Chiller  1 

C.  Air  Handling  (LCF-SRCC)  (LCF^LCC)  1 

D.  Normal  Operating  Emergency  Water  Storage  1 

E.  Exhaust  Air  System  1 

F.  Control  Air  Supply  1 

LF  Normal 

B.  Packaged  Brine  Chiller  1 

F-  Control  Air  Supply  1 

K.  Air  Handling  -  Launcher  1 

L.  Launch  Tube  Heater  System  i 

LCF(SRCC)  Emergency 

G.  Emergency  Air  Handling  1 

H.  Emergency  Chilled  Water  1 

J.  Emergency  Air  Pur'if'' cation  1 

LCF(LCC)  Emergency 

G.  Emergency  Air  Handling  1 

H,  Emergency  Chilled  Water  l 

J  Emergency  Air  Purification  i 

LF*  Emergency 

M.  Emergency  Air  -  Launcher  1 
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III.  DISCUSSION 


In  the  two  previous  studies  of  component  failure  rate  data  and  their 
system  summations  which  have  been  performed,  the  differences  indicated 
in  MTBF  for  the  environmental  control  systems  were  highly  significant, 
and  consequently  an  independent  evaluation  was  considered  mandatory. 

This  section  of  the  report,  then,  will  cover  STL  evaluation  of  failure 
data  and  its  use  of  References  1  and  2.  The  final  part  of  the  discussion 
will  present  the  STL  evaluation  position  on  the  environmental  control 
systems  and  the  basis  for  independent  prediction  of  MTBF  of  major  sub¬ 
systems. 

Members  of  the  STL  Mechanics  Division  Reliability  Staff,  who  are 
supporting  the  Minuteman  Environmental  Controls  Project  Office,  reviewed 
Reference  1  and  the  pertinent  backup  data  utilized  by  AAF,  at  St.  Louis, 
Missouri.  The  objectives  of  this  evaluation  were  threefold: 

a)  To  ascertain  if  AAF  backup  data  were  valid  and 
collected  objectively  from  the  respective  system 
component  industry. 

b)  To  determine  if  derating  and  application  factors 
used  by  AAF  were  valid  and  applied  realistically. 

c)  To  impartially  evaluate  the  reliability  failure  rate 
data  section  of  Reference  2.  which  in  turn  is  a  review 
of  Reference  1. 

EVALUATION  OF  REPORTS 
Evaluation  of  Reports  by  AAF 

Failure  Data.  WVh  respect  to  failure  data,  it  was  established  that  if  the 
component  failure  rate  backup  data  gathered  by  AAF  from  throughout  the 
mdu.Jtry  upon  examination  W'ere  found  to  be  valid,  then  these  failure  rates 
would  be  acceptable  to  STL  and  used  m  this  report.  STL  consider es  that 
for  the  most  part  the  failure  rate  backup  data  which  were  reviewed  were 
gathered  and  analyzed  objectively  by  AAF.  Inasmuch  as  approximately 
80  percent  of  the  component  failure  rates  significantly  affect  the  final 
MTBF*s,  all  of  these  failure  rates  were  checked  and  the  remaining  items 
were  spot- checked  for  validity. 
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There  are  several  instances  where  AAF  for  various  reasons  does 
not  have  backup  data  for  the  published  failure  rates*  These  failure  rates 
are  identified  as  "AAF  estimates"  and  include  such  parts  as  electrical 
connectors,  cablings,  ducts,  and  shock  attenuators*  Since  no  background 
is  given  for  the  estimates  in  these  cases,  evaluation  of  the  data  is  neces¬ 
sary  on  the  basis  of  other  sources  available  to  STL,  Some  of  these  part 
estimates  made  by  AAF  appear  quite  optimistic. 

Another  criticism  of  the  AAF  data  concerns  the  failure  rate  estimates 
for  miscellaneous  equipment.  Failure  data  were  often  obtained  for  unspec¬ 
ified  numbers,  sizes,  or  lengths  of  ducts,  piping  connections,  etc.  Unless 
failure  rate  is  specified  as  per  "unit"  and  the  number  of  units  given,  the 
resultant  estimate  is  quite  variable  and  can  lead  to  large  /ariations  in  fail¬ 
ure  rate  estimations. 

An  overall  comparison  of  "static"  and  "dynamic"  component  failure 
rates  in  the  AAF  report  at  first  glance  indicates  some  apparent  inconsis¬ 
tencies.  For  example,  a  component  that  is  stationary  or  nonoperating 
would  generally  be  expected  to  have  a  lower  failure  rate  than  an  operating 
or  moving  component.  It  may  even  be  expected  that  if  all  components  were 
bsted  in  order  of  increasing  failure  rates,  all  static  components  would  be 
at  the  beginning  of  the  list.  However,  this  is  not  the  case.  Use  require¬ 
ments  do  not  allow  an  absolute  list.  For  example,  the  number  of  oper¬ 
ating  cycles  is  an  important  factor.  A  complex  solenoid  valve  which  may 
operate  once  at  system  start  would  have  a  lower  failure  rate  than  a  solenoid 
valve  which  may  be  constantly  cycling,  or  difference  m  failure  rates  may 
be  due  to  variation  in  physical  location  of  comparable  components.  Fail¬ 
ure  rates  of  many  operating  components  are  very  low.  The  few  cases  in 
♦he  AAF  report  which  appear  inconsistent  do  not  constitute  significant 
error. 

It  may  be  noted  that  AAF  has,  in  St.  Louis,  separate  files  for  cor¬ 
respondence  collected  during  the  past  year  and  a  half  from  the  many  manu  ¬ 
facturers  of  components  which  are  utilized  in  the  control  systems.  From 
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this  compilation  they  have  extracted  the  major  portion  of  their  published 
failure  rates.  In  short,  a  considerable  effort  has  been  made,  and  it  is 
considered  that  generally  the  basic  failure  rate  backup  data  collected  by 
AAF  are  as  good  as  was  possible  to  obtain  under  existing  industrial  con¬ 
ditions.  Consequently,  the  majority  of  the  failure  rates  published  in 
Reference  1  have  been  at  least  basically  utilized  in  the  STL  report  with¬ 
out  major  modification,  except  where  notations  indicate  otherwise. 

Modifying  Factors.  The  component  derating  or  application  factors  utilized 
by  AAF  fall  into  the  general  categories  of  operational  probability  use,  sys¬ 
tem  use  or  location,  and  design  load  derating.  Most  of  the  data  supplied 
by  various  manufacturers  to  AAF  were  submitted  as  basic  data;  i.  e.  , 
a  report  of  hours  of  use  and  number  of  failures.  In  general,  no  "use”  or 
other  multiplying  or  derating  factors  were  supplied,  so  that  in  estimating 
failure  rates  for  the  Wing  I  system,  AAF  used  those  factors  they  con¬ 
sidered  applicable  to  the  basic  submitted  data.  The  factor  most  often 
applied  by  AAF  is  an  "operational  use"  f^.ctor  to  account  for  anticipated 
less- frequent  operation  of  the  equipment  for  the  particular  Minuteman 
environmental  system.  In  most  instances,  this  is  a  direct  ratio  of  oper¬ 
ational  times.  For  the  most  part,  these  factors  applied  by  AAF  are 
realistic  and  approximate  STL  system  use  predictions.  In  a  few  instances, 
however,  a  derating  or  application  factor  estimated  by  AAF  appeared 
unrealistic  and  was  changed  in  the  STL  evaluation. 

In  some  cases  the  manufacturer's  failure  rate  data  were  submitted 
as  an  "observed  operating  time"  or  as  "cycles,"  with  no  failures  appar¬ 
ently  having  occurred.  AAF  applied  a  no- failure  "equal  probability  ‘  fac¬ 
tor  of  0,  7  MTBF  to  the  total  accumulated  time  or  number  of  cycles  to 
obtain  an  estimate  of  the  MTBF.  This  is  considered  to  be  a  valid  sta¬ 
tistical  factor. 

Unfortunately,  several  drawbacks  to  complete  evaluation  of  AAF  use 
of  derating  factors  are  extant.  For  one  thing,  the  environmental  conditions 
for  each  piece  of  equipment  must  be  known  in  order  to  properly  evaluate 
application  factors  which  should  be  applied  in  Reference  1.  These  con¬ 
ditions  are  not  indicated  in  Reference  1,  nor  is  there  documentary  evidence 
that  AAF  actually  often  took  them  into  consideration.  Where  the  AAF  fail¬ 
ure  data  are  given  simply  as  an  "AAF  estimate,"  no  evaluation  of  the 
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background  or  application  factor  modifying  influence  can  be  made.  In  these 
cases  informal  discussion  with  AAF  reliability  personnel  was  the  only  basis 
for  either  agreeing  or  disagreeing  with  both  the  basic  failure  rate  and  any 
influencing  application  factors.  In  addition,  very  little  load  or  stress  or 
design  margin  information  is  evident.  Where  this  information  was  given, 
an  evaluation  was  made  by  STL,  and  in  most  cases  the  data  were  sound,  but 
in  general  there  seems  to  be  little  of  this  information. 

One  area  completely  ignored  in  Reference  1  is  a  factor  which  may  be 
considered  in  the  form  of  a  multiplying  factor  greater  than  one,  which  is 
required  to  take  into  account  nonreporting  of  failures  in  the  basic  data. 

This  is  of  prime  importance  in  the  final  determination  of  failure  rates.  A 
follow-on  to  this  consideration  is  an  evaluation  of  the  breakdown  of  the 
reported  failures  into  pertinent  and  nonpertinent  failures.  Both  concepts 
are  given  additional  consideration  later  in  this  report. 

Overall,  the  multiplying  or  application  factors  utilized  by  AAF  repre¬ 
sent  a  fair  use.  However,  some  disagreements  with  the  AAF  factors  exist, 
including,  for  example,  the  manual  water  valve  (Subsystem  B),  where  the 
STL  modifying  factor  is  1.00,  versus  0.50  in  Reference  1;  electric  motors, 
manufactured  by  Reliance  Electric  Motor  Company,  had  failure  rates  fac¬ 
tored  by  0.50  by  STL,  versus  1.00  by  Reference  1;  and  centrifugal  pumps 
with  special  seals  (Subsystem  B)  were  assigned  an  application  factor  by 
STL  of  0.10  of  the  Reference  1  value.  By  and  large,  though,  the  AAF  values 
seem  representative  of  good  engineering  judgment  toward  adaptation  of 
known  component  failure  rates  to  particular  system  time  use. 

Evaluation  of  Report  by  Holladay  and  Westcott 

There  is  a  vast  difference  in  the  failure  rates  of  identical  components 
listed  by  Reference  1  and  those  of  Reference  2.  While  there  normally  would 
be  some  disparities  in  failure  definition,  etc.,  many  of  the  differences  indi¬ 
cated  here  are  extreme.  This  is  so,  even  though  the  same  analytical  me¬ 
thods,  failure  rate  backup  data,  and  known  component  generic  failure  rate 
data  were  supposedly  available  to  each.  As  the  backup  data  and  analytical 
methods  employed  by  AAF,  Reference  1,  are  reviewed  and  compared  gen¬ 
erally  with  those  of  Holladay  and  Westcott,  Reference  2,  several  charac¬ 
teristics  of  both  presentations  become  increasingly  evident. 
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a)  The  tabulated  AAF  failure  rates  are  frequently  very 
low^much  lower  than  those  tabulated  in  the  reliability 
section  of  the  Holladay  and  Westcott  report,  in  which 
the  failure  rates  are  based  almost  entirely  upon  pub¬ 
lished  component  generic  failure  rates* 

b)  The  AAF  failure  numbers  are  based  mainly  upon 
apparently  valid  subcontractor  or  component  manu¬ 
facturer  failure  data*  Where  no  manufacturer  fail¬ 
ure  data  exists,  the  AAF  estimate  is  reasonable  in 
most  instances,  very  low  in  others* 

c)  Reasonable  system  application  factors  or  derating 
techniques  were  employed  extensively  by  AAF.  This 
type  of  application  or  multiplying  derating  factor  was 
not  used  in  the  reliability  section  calculations  of  the 
Holladay  and  Westcott  report* 

A  close  check  of  the  failure  rates  used  in  Reference  Z  reveals  that 
the  mean  value  given  in  a  reliability  analysis  by  AVCO  Corporation, 
Reference  3,  for  generic  failure  rates  was  usually  used*  While  the  use 
of  the  generic  type  of  number  is  acceptable  for  estimating  or  for  prelim¬ 
inary  reliability  evaluation,  it  exhibits  several  important  shortcomings: 

a)  .  No  use  ie .made  of  the  failure  data  from  the  manu¬ 

facturer  or  the  specific  .component*  Uniqueness  is 
bypassed. 

b)  Consideration  of  application  of  a  component  in  a 
particular  system  is  excluded* 

c)  Consideration  of  failure  rate  modifiers  for  location 
in  a  system  is  excluded* 

d)  Consideration  of  changing  or  of  different  environment 
operating  conditions  is  excluded. 

e)  Design  or  loading  margins  are  not  considered* 

i)  No  allowance  is  made  for  changed  values  for  com¬ 
ponents  due  to  updating  state-of-the-art  designs* 

The  STL  Reliability  Staff  regards  the  use  of  individual,  demonstrated 
component  failure  rate  data  determined  by  the  component  manufacturer  to 
be  superior  in  accuracy  to  average  or  mean  generic  rates  when  applied  to 
a  deUiled  system  operation.  For  example,  power  dampers,  which  are 
simply  shaft-mounted  flappers  supported  in  a  duct,  are  listed  by  the 
Holladay  and  Westcott  report  under  "Structures”  with  a  mean  failure  value 
of  1*  00/10^  hours*  The  AAF  value  based  upon  field  use  of  485  imits  over 
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a  4-year  period  ie  0.  137/10^  hoursi  roughly  a  difference  of  one  magnitude* 
The  damper  operator  which  ie  listed  by  Holladay  and  Westcott  as  an  "electric 
motor"  with  mean  failure  rate  of  0.  300  is  not  an  electric  motort  but  an  air 
cylinder  with  a  failure  rate  value  determined  by  the  manufacturer  to  be 
0,  00045*  The  Holladay  and  Westcott  report  lists  the  failure  rates  for  all 
electric  motors,  regardless  of  size,  rating,  type,  or  use,  as  0«  30, 
whereas  AAF  uses  several  values,  depending  upon  the  type  of  motor, 
ranging  up  to  8,  90.  The  flow  controller  listed  by  AAF  with  a  failure  rate 
of  0.  00055  is  listed  by  Holladay  and  Wescott  under  general  flow  and  pres¬ 
sure  regulators  with  a  2.  140  mean  failure  rate.  The  foregoing  figures  do 
not  include  application  or  multiplying  factors  and  are,  therefore,  com¬ 
parable.  These  are  only  a  few  examples  of  the  listed  failure  rate  differ¬ 
ences  which  account,  in  part,  for  ultimate  MTBF  estimate  differences. 

In  addition  to  the  limitations  imposed  by  the  use  of  generic  failure 
rates  as  indicated  above,  other  shortcomings  with  Reference  2  are  evident. 
There  is  little  indication  that  an  attempt  to  check  out  or  validate  the  AAF 
backup  data  was  made.  Component  manufacturer's  failure  data  were 
apparently  considered  inferior  to  generic  failure  data  even  where  many 
hours  of  practical  operation  of  a  component  or  much  test  time  was  in 
evidence.  A  check  made  with  the  initiator  of  Reference  1  indicated  that 
no  contact  was  made  with  them  to  verify  failure  rates  of  equipments  which 
they  manufacture  or  for  which  they  are  responsible.  In  addition,  the 
writers  of  Reference  2  are  quite  critical  of  methods  and  procedures  util¬ 
ized  in  Reference  1  without  themselves  using  methods  and  data  above 
question.  In  short,  the  evalxiation  made  in  Reference  2  severely  criticizes 
the  Reference  1  report  without  giving  a  detailed  examination  of  the  methods 
and  data  used  in  Reference  1. 

On  the.  other  hand,  it  is  recognised  that  use  of  component  manu¬ 
facturer's  data  alone  and  without,  regard  for  established  generic  failure 
rates  may  be  undesirable.  The  position  taken  by  the  STL  reviewers 
throughout  the  evaluation  was  to  utilize  the  available  component  manu¬ 
facturer's  data  that  was  considered  well  founded  and  documented  and  rely 
on  generic  or  similar  component  general  failure  rates  only  when  necessary. 
For  these  reasons,  closer  agreement  will  be  noted  with  Reference  1  fail¬ 
ure  rate  totals  and  MTBF's,  than  with  those  of  Reference  2. 
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STL,  EVALUATION  POSITION 


After  review  of  the  failure  data  presented  by  AAF  and  evaluation  of 
the  report  by  Holladay  and  Westcott,  modifying  and  application  factors 
were  applied  to  the  basic  failure  information*  It  was  concluded  that 
while  many  of  the  criticisms  made  in  Reference  2  were  valid,  the  final 
failure  data  values  were  not  as  applicable  to  valid  MTBF  determinations 
as  those  given  in  Reference  L 

This  part  of  the  report  presents  the  STL  prediction  of  MTBF  versus 
the  required  MTBF  for  the  three  main  environmental  subsystems:: 
LCF(SRCC)  Normal,  LCF(LCC)  Normal,  and  LF  Normal. 

The  fundamental  reliability  structure  of  the  systems  as  depicted  in 
block  diagrams  of  Reference  1  and  found  applicable  to  Reference  2  was 
closely  scrutinized.  The  minor  subsystems  are  composed  in  such  a  way 
that  the  reliability  structure  of  each  minor  subsystem  and  of  each  major 
subsystem  as  a  combination  of  these  minor  subsystems  is  series  in  nature^ 
Failure  of  any  component  results  in  failure  of  a  minor  subsystem,  and 
failure  of  any  minor  subsystem  results  in  a  major  subsystem  failure.  The 
more  common  failure  distribution  functions  are  the  exponential,  binomial, 
normal,  gamma,  and  WeibulL  The  exponential  is  a  special  case  of  the 
gamma  and  Weibull  and  has  been  shown  to  give  a  good  reliability  esti¬ 
mate  of  grouped  electronics  and  electromechanical  parts  after  burn-in 
period  and  before  wear  out.  This  is  during  the  random  failure  period 
when  the  probability  of  failure  is  constant.  Following  the  reasonable 

assumption  that  the  reliability  of  these  mechanical  and  electromechanical 

*  X.T 

components  follows  the  exponential  law  of  reliability,  R  =  e  ,  and  that 
the  reliability  of  the  entire  system  or  subsystem  is  the  product  of  the 
reliabilities  of  its  parts,  then  by  the  laws  of  exponents,  the  failure  rate  of 
the  system  is  equal  to  the  sum  of  failure  rates  of  its  total  st  boy  sterns. 

This  concept  is  represented  by  the  following  (where  k  represents  failure 
rate  of  minor  subsystems); 

Reliability  of  system  =  R^  =  Rj  x  R^  x  R^  •  •  R^ 

where 

Rj^  =  reliability  of  subsystem  1, 

R^  =  reliability  of  subsystem  2,  etc. 
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However,  a  summary  review  of  major  and  minor  subsystem  oper¬ 
ation  by  STL  to  ascertain  the  validity  of  the  series  relationship  concept 
resulted  in  the  discovery  of  questionable  areas  involving  the  alarm  systems 
and  the  emergency  water  storage  subsystem  of  the  LCF-type  facility. 

Certain  subsystems  are  equipped  with  a  group  of  components  which 
will  function  to  warn  the  Control  Center  of  malfunctions  within  that  system. 
Generally  there  is  an  allowable  time  in  which  the  malfunction  can  be  cor¬ 
rected  while  the  system  continues  operating.  The  question  as  to  the  valid¬ 
ity  of  including  these  alarm  components  in  series  with  the  system  function¬ 
ing  components  has  been  raised,  since  both  References  1  and  2  have  so 
included  them.  However,  it  must  be  pointed  out  that  the  alarm  components 
do  not  themselves  cause  a  system  shutdown.  Their  importance,  therefore, 
in  regard  to  criticality  of  failure  is  much  less  than  a  failure  of  a  series- 
involved  functioning  component.  The  problem  then  is  how  to  include  alarm 
system  component  failure  in  the  reliability  calculation  of  system  MTBF, 

If,  as  in  normal  reliability  methods  practice,  the  alarm  system  is  included 
as  a  parallel  function  to  the  subsystem  it  protects,  then  the  only  complete 
(critical)  failure  would  be  the  simultaneous  failure  of  both  the  alarm  sys¬ 
tem  and  its  protected  subsystem.  For  example,  subsystem  L  of  the  Launch 
Tube  Heater  System  is  protected  by  an  alarm  system  which  serves  to  notify 
the  Control  Center  of  an  unacceptable  temperature  level  possibly  resulting 
in  a  major  system  and  even  a  Weapon  System  operational  failure.  In  the 
protected  subsystem  a?  illustrated  below,  we  note  very  little  system 
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reliability  exxhancement  from  the  alarm  system  at  low  or  initial  system 
operating  times.  If  we  were  to  consider  no  system  inspection  or  main¬ 
tenance  over  a  period  of  as  long  as  3  years^  we  could  calculate  a  system 
reliability  increase  at  the  end  of  this  period  of  nearly  13  percent  over  a 
fvinctioning  system  without  alarm  protection.  This  increase^  while 
important  to  system  function#  becomes  much  less  significant  from  a 
realibility  standpoint,  however,  when  we  consider  the  more  probable 
informal  maintenance- inspection  functions  within  90 -day  periods.  As 
noted  in  the  sample#  a  system  reliability  increase  of  approximately  one 
percent  may  be  expected  in  an  alarm-protected  system  over  a  nonpro¬ 
tected  system  for  a  3-month  operation#  provided  the  MTBF  equivalents 
noted  in  Exhibit  II#  STL-April  colvimn#  are  used. 

In  summation#  the  following  observations  concerning  alarm  systems 
in  our  application  maybe  made; 

a)  Alarm  system  failure  rates  are  usually  very  low#  in 
our  example  1/4000  the  protected  system  failure  rate. 

b)  Alarm  systems  cannot  be  assigned  critical  failure 
importance  equivalent  to  their  protected  functioning 
system. 

c)  Alarm  system  failure  rates  should  not  be  serially 
added  to  parent  system  failure  rates  for  overall  sys¬ 
tem  reliability  calculations. 

d)  Value  of  alarm  systems  increases  as  functional  sys¬ 
tem  operating  time  increases. 

In  consideration  of  the  alarm  discussion  and  the  improbability  of  the 
necessity  for  lavinch  during  any  short  time  after  a  correct  alarm  is  given# 
during  which  system  correction  will  be  effected#  alarm  system  failure 
rates  in  subsystems  A#  K#  and  L  are  eliminated  in  MTBF  calculations. 

The  following  block  diagram  and  equations  summarize  the  contri¬ 
bution  of  the  alarm  system  to  subsystem  L  of  the  LF.  This  may  be  con- 
sidered  typical  of  the  other  alarm  systems. 
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Reliability  Block  Diagram; 
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Equation — Basic: 

-XT 

R  =  e  R  =  Reliability  (system  or  component) 

X  =  Failure  rate  (system  or  component) 

T  =  Time  of  operation 

(system  or  component) 

Equations — Specific  Use; 

R^2  ”  ^  ^  ^2^A  ^A2  “  Probability  of  success  (reliability) 

of  the  parallel  part  of  system 

R^  =  Alarm  system  reliability 

R^  =  Reliability  of  protected  subsystem  L 


Q^»  =  Failure  probability  of  alarm  and 

protected  systems  =  1  -  R^,  1  -  R^ 


R  =  R,  X  R 
s  1  A2 


Rj  =  Reliability  of  remainder  of 
Launch  Facility 

R^  =  Reliability  of  Launch  Facility 


R  =  e 
s 


■X,T  j  -X,  T  -X.  T  -X  .  T 
e  e  ^  +  e  ^ 


^1" 

e 


1  -  e 


-X^TA  -X-T 
+  e 


1  -  e 


-{Xj+\^)T  -(\i+X.2)T  -(X.j+X.2+)^  )T 

R  =  e  +  e  -  e 

s 


(1) 
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If  an  alarm  system  is  not  included: 


R  =  e 

8 


U) 


If  an  alarm  system  is  considered  a  series  element: 


-XiT  -X^T  -X^T  -(X,+X  +X.)T 

R  =  e  .  e  .  e  =  e 

8 


(3) 


Relative  System  Reliability: 
using. 


X^  =  0.00127/10®  hours 
=  34.712/10^  hours 
X^  =  4.809/ 10^  hours 


For^  -  1  hour: 


R  =  e 
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+  e  -  e 
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R  ^“(0.0000347)  ^  ^-(0.0000395)  ^-(0.00003952) 


R  r  0.9999653 
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R  3  e 
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For  T  -  3  Months: 


„  _  -(0.0000347)2190,  -(0.0000395)2190  -(0.00003952)2190 

“  c  »  c  •*  c 

®  (7) 

R  =  0.92661 
8 

.  ^-(0.00003952)2190  ^ 

s 

R  =  0.91709 
8 

^  ^  ^-(0.000039522)2190 

R  =  0.91708 
s 


As  noted,  the  example  system  diagrammed  shows  approximately  a  one 
percent  reliability  increase  at  the  end  of  a  90- day  period  over  the  same 
svstem  without  alarm  protection  or  a  system  which  considers  alarms  of 
equal  importance  to  functioning  system  components. 

The  normal  operating  emergency  water  storage,  designated  sub¬ 
system  D,  falls  into  a  different  type  of  questionable  area.  In  normal 
operation  of  the  LCF  installation  this  subsystem  merely  circulates  water 
through  the  storage  system,  accepting  a  small  amount  of  rejected  heat 
at  a  brine -water  heat  exchanger.  Circulation  is  provided  mainly  to  main¬ 
tain  a  minimal  constant  tank  temperature.  The  small  amount  of  heat 
pLckf  d  up  IS  rejticted  from  the  air -handling  and  brine  chiller  subsystem 
equipment  and,  in  relation  to  their  normally  large  heat  loads,  is  incon¬ 
sequential  to  satisfactory  operation  of  those  systems.  In  considering 
failures  of  this  system  and  their  relative  importance  to  successful  facility 
operation,  it  may  be  noted  that  the  only  failure  which  could  possible  have 
any  effect  on  parent  air-handling  and  brine  chiller  system  operation  is 
failure  at  the  heat  exchanger.  The  probability  of  this  occurrence  is  so 
slight  as  to  be  inconsequential  to  uur  calculations.  Thus,  although  this 
IS  a  normal  operating  system,  its  function  during  normal  operation  is  not 
essential  to  LCF  operation  and  its  failure  is  not  critical  to  LCF  operation 
continuance.  Therefore,  its  failure  rate  should  not  be  contributory  to  the 
normal  subsystems  failures  in  determining  critical  MTBF  predictions. 

The  LCF(SRCC)  and  LCF(LCC)  normal  subsystems  should  be  redefined  to 
include  the  following  minor  essential  subsystems  for  MTBF  calculations* 
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Air  Handing-Support  Building 
Packaged  Brine  Chiller 
Air  Handling 
Exhaust  Air  System 
Control  Air  Supply 

The  difference,  as  indicated,  is  in  the  elimination  of  subsystem  D,  normal 
operating  emergency  water  storage,  from  the  tabulation. 

Figure  4  is  a  schematic  operational  diagram  of  the  environmental 
control  system  of  the  Launch  Control  Facility,  type  LCC.  The  method  of 
reduction  of  this  system  to  its  individual  reliability  failure  rate  components 
is  typical  of  the  method  used  for  the  other  major  subsystems,  LF  and  LCF 
(SRCC).  The  control  systems  are  reduced  to  their  major  operational  blocks 
as  shown  in  Figure  5.  The  operational  blocks  reduced  in  Figure  6  to  sub¬ 
system  reliability  blocks  indicate  a  series  relationship  among  the  sub¬ 
systems,  in  that  if  any  one  of  the  subsystems  fails,  the  complete  LCF 
function  fails.  The  water  storage  tank  subsystem  does  not  appear  in  this 
diagram  for  reasons  already  noted,  although  it  does  appear  in  the  oper¬ 
ational  diagram  (Figure  5)  as  a  definite  operating  function.  Each  of  the 
minor  subsystem  components  has  been  arranged  as  indicated  in  Figures 
6a  through  6e,  has  been  assigned  failure  rates  as  tabulated  in  Exhibit  1, 
and  has  been  added  to  obtain  minor  subsystem  totals.  The  symbols  used 
in  Figures J?a  through  6e  are  detailed  in  Exhibit  I.  Each  of  the  five  minor 
subsystem  failure  rate  totals  has  been  added  to  obtain  the  predicted  LCF 
totals  and  the  resulting  MTBF  shown  at  the  bottom  of  Figure  6. 
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The  difference*  as  indicated*  is  in  the  elimination  of  subsystem  D*  normal 
operating  emergency  water  storage*  from  the  tabulation. 

Figure  4  is  a  schematic  operational  diagram  of  the  environmental 
control  system  of  the  Launch  Control  Facility*  type  LCC.  The  method  of 
reduction  of  this  system  to  its  individual  reliability  failure  rate  components 
is  typical  of  the  method  used  for  the  other  major  subsystems*  LF  and  LCF 
(SRCC).  The  control  systems  are  reduced  to  their  major  operational  blocks 
as  shown  in  Figure  5.  The  operational  blocks  reduced  in  Figure  6  to  sub¬ 
system  reliability  blocks  indicate  a  series  relationship  among  the  sub¬ 
systems*  in  that  if  any  one  of  the  subsystems  fails*  the  complete  LCF 
function  fails.  The  water  storage  tank  subsystem  does  not  appear  in  this 
diagram  for  reasons  already  noted*  although  it  does  appear  in  the  oper¬ 
ational  diagram  (Figure  5)  as  a  definite  operating  function.  Each  of  the 
minor  subsystem  components  has  been  arranged  as  indicated  in  Figures 
6a  through  6e*  has  been  assigned  failure  rates  as  tabulated  in  Exhibit  I* 
and  has  been  added  to  obtain  minor  subsystem  totals.  The  symbols  used 
in  Figures  6a  through  6e  are  detailed  in  Exhibit  I.  Each  of  the  five  minor 
subsystem  failure  rate  totals  has  been  added  to  obtain  the  predicted  LCF 
totals  and  the  resulting  MTBF  shown  at  the  bottom  of  Figure  6. 
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Figure  5,  LCF  Environmental  Control  System  Operational  Block  Diagram 
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Figure  6.  IjCF(LCC)  Block  Diagram 
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Figure  6a.  Subsystem  A  Block  Diagram 


Figure  6b«  Subsystem  B  Block  Diagram 
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Subsystem  C  Block  Diagram 
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Figure  6e,  Subsystem  F  Block  Diagram 


Component  Failure  Rate  Sximnxary 

Exhibit  I  presents  a  sximmary  by  component  of  the  failure  rates 
quoted  in  the  AAF  report.  Reference  1,  corrected  to  April  1962;  data  com¬ 
piled  by  Reference  2;  and  data  determined  by  STL  based  upon  both  the 
Reference  1  report  and  corrected  April  data.  Individual  sheets  are  com¬ 
piled  by  subsystem  letter  designation  and  title  and  include  only  the  com¬ 
ponents  required  for  the  particular  subsystem.  Symbols  used  are  those 
devised  by  the  originating  contractor  for  components,  quantities,  and  part 
numbers  as  listed.  The  components  listed  by  Holladay  and  Westcott, 
Reference  2,  are  equivalent  components  as  indicated  in  their  report.  The 
lone  column  subtitled  AAF -April  lists  the  updated  failure  rate  differences 
between  November  1961  and  April  1962  for  AAF  data.  The  final  STL  col¬ 
umns  show  the  STL  evaluation  of  the  AAF  November  and  April  data.  The 
source  and  K  factor  column  refers  to  the  basic  source  for  the  STL  rates 
and  the  use  modification  factor  used  to  produce  the  listed  STL  rate. 

The  Comments  column  reflects  reasons  for  the  STL- predicted  fail¬ 
ure  rates,  comparison  levels,  basic  data  sources,  conflict  with  AAF  or 
Holladay  and  Westcott  failure  data,  and  other  pertinent  information.  No 
attempt  is  made  in  these  tabulations  to  determine  the  system  component 
requirements,  correct  the  nomenclature,  or  arbitrarily  update  failure 
rates.  The  STL- listed  failure  rates  are  the  best  predictions  of  unsuccess¬ 
ful  equipment  operation  based  upon  currently  available  data. 
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SUBSYSTEM  A:  AIR  HANDLING  —  SUPPORT  BmLDING 
FACIUTY:  LCF(SRCCi  NORMAL 
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SUBSYSTEM  A;  AIR  HANDLING— SUPPORT  BUILDING 
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SUBSYSTEM  B:  PACKAGED  BRINE  CHILLER 
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SYSTEM  C  EXHAUST  AIR  SYSTEM 

FACILITY:  LCF(SRCC)  NORMAL.  LCF(LCC)  NORMAL 
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sub:>tstem  E:  exhaust  air  system 

FACIUTT:  IX:F(SRCC)  NORMAL.  LCF(LCC)  NORMAL 
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LCF(LCC)  NORMAL,  LF  NORMAL 
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SUBSYSTEM  G-  EMERGENCY  AIR  HANDLING 

FACILITY:  LCr{LCC)  EMERGENCY,  LCF  {SRCC)  EMERGENCY 


SUBSYSTEM  H:  EMERGENCY 
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SUBSYSTEM  J: 
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SUBSYSTEM  L  LAUNCH  TUBE  HEAlER  i 

facility-  lf  normal 
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EXHIBIT  I 


Subsyatem  Failure  Rate  Summary 

Exhibit  11  ia  a  tabulation  of  the  comparative  MTBF  of  major  sub- 
sy sterna  by  failure  data  summation.  The  major  subayatema  are  subdivided 
into  their  respective  minor  subsystems  according  to  the  plan  presented  in 
References  1  and  2.  The  various  components  making  up  each  of  the  minor 
subsystems  are  tabulated  with  their  failure  rates  in  Exhibit  1;  Exhibit  11 
then  serves  as  a  presentation  of  resultant  MTBF. 

Wing  1  Minuteman  MTBF  requirements  are  14,  000  hours  for  each 
of  the  major  subsystems.  It  will  be  noted  that  the  November  AAF  summary 
shows  an  IjCF(SRCC)  normal  predicted  MTBF  of  slightly  less  (13,440 
hours)  than  the  requirement,  while  both  the  LiCF(L>CC)  normal  and  the  LF 
normal  far  exceed  the  requirement  with  21,  725  and  27,  600  hours  respec¬ 
tively.  These  values  decreased  slightly  at  the  time  of  issuance  of  the 
April  report  by  AAF,  the  reason  given  being  that  Electro- Interference 
Suppression  (E.l.S.)  filter  failure  rates  had  been  updated  and  increased 
from  the  preliminary  November  estimates.  With  the  exception  of  the 
LCF(SRCC)  normal  major  subsystem,  however,  the  MTBF  requirements 
were  apparently  still  exceeded. 

The  MTBF  reported  by  Holladay  and  Westcott  in  Reference  2,  are 
less  optimistic,  as  noted  earlier.  In  fact,  without  the  advance  explana¬ 
tion  in  this  report,  it  would  appear  that  a  very  serious  situation  existed 
due  to  the  2,  000-  and  3,  000-hour  MTBF  predictions  by  Holladay  and 
Westcott.  Contractually,  the  reliability  design  goal  was  stated as^' ...sched¬ 
uled  maintenance  only  once  each  3  years,  with  the  exception  of  air  filters 
....once  every  3  months.’*  The  geographical  dispersion  of  the  launch  sites 
precludes  frequent  maintenance,  and  the  logistics  requirements  to  meet 
3000  hours  MTBF  for  these  systems  would  be  quite  extreme.  Fortunately, 
for  reasons  previously  indicated,  the  Holladay  and  Westcott  estimates  do 
not  appear  to  be  as  close  to  a  valid  prediction  as  the  AAF  estimates. 

STL  evaluated  the  system  component  failure  data,  and  through  reesti- 
mation,  selective  use  of  manufacturer's  data,  and  application  of  derating 
factors  arrived  at  the  failure  rates  tabulated  in  Exhibit  1  and  summarized 
here.  The  STL- November  column  is  a  summary  of  STL-predicted  failure 


data  utilizing  the  systems  and  components  of  Reference  1.  The  STL -April 
column  is  a  reflection  of  equipment  and  failure  data  upgrading  from 
November.  It  will  be  noted  that  the  same  minor  subsystems  are  included 
in  all  the  column  tabulations  up  through  the  STL- April  column.  This  is  for 
comparative  purposes  only,  showing  the  results  of  failure  rate  estimate 
differences  on  the  same  equipment.  The  final  STL  column  is  modified  from 
the  previous  STL  column  by  deletion  of  the  emergency  water  storage  minor 
subsystem  and  by  application  of  the  reporting  efficiency  factor,  both  men¬ 
tioned  earlier  in  this  report. 

The  results  in  terms  of  predicted  MTBF  for  all  the  Exhibit  II  tabula¬ 
tions  are  obvious.  The  LCF(SRCC)  major  subsystem  is  below  the  required 
14,  000  hours.  The  other  major  subsystems  exceed  this  requirement  and, 
n  fact,  approximate  the  higher  MTBF  hours  required  of  Wing  II  subsystems. 
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EXHIBIT  II 


Reporting  Efficiency  Factor 

It  was  noted  that  no  use  has  been  made  of  a  reporting  efficiency 
factor  in  any  of  the  reviewed  reports.  This  is  the  term  applied  when  not 
all  failures  of  equipment  in  operation  or  under  test  are  reported,  resulting 
in  overoptimistic  failure  rate  tabulations.  Failure  to  report  such  failures 
can  be  due  to  a  number  of  reasons,  including  the  seemingly  relative  unim¬ 
portance  of  reporting  minor  malfunctions,  contrast  in  time  between  the 
writing  of  a  failure  report  and  accomplishing  minor  adjustment  or  small 
part  exchange,  lack  of  knowledge  of  importance  of  failure  reporting,  lost 
or  misplaced  records,  possiole  lack  of  time,  etc.  Frequently  a  reporting 
agency  unable  to  pinpoint  a  "pertinent"  failure  among  many  minor  adjust¬ 
ments  required,  ordinary  inept  installation- caused  malfunctions,  storage 
or  transport  hazards,  etc.  The  fact  remains  that,  consistently,  all  fail¬ 
ures  are  not  reported.  Careful  review  of  the  naval  aircraft  failure  report¬ 
ing  system  a  few  years  ago  revealed,  for  example,  that  only  slightly  over 
one -half  of  all  component  (major  or  minor)  failures  were  actually  reported 
from  the  field.  Recognizing  that  the  condition  led  to  highly  optimistic  fail- 
i:re  predictions  and  severely  hampered  accurate  logistics  planning,  among 
other  things,  a  careful  review  of  reporting  sources  was  made.  Thorough 
mdoctrination  of  all  responsible  reporting  personnel  plus  application  of 
s"t?r.ificant  pressure  at  higher  levels  resulted  in  increase  of  the  failure 
reporting  efficiency  to  approximately  85  percent.  The  Minuteman  pre¬ 
dominately  "commercial"  type  of  environmental  control  system  has  a 
reporting  efficiency  factor  almost  impossible  to  calculate  due  in  most  part 
f'c  the  multitude  of  required  reporting  sources.  But  it  must  certainly  be 
80  percent  or  less.  In  order  to  maintain  a  comparative  failure  rate  anal  ^ 
ys3s,  STL.  in  its  preliminary  tabulations  of  Exhibits  I  and  II  assumed  a 
100  percent  reporting  efficiency.  The  final  column  of  Exhibit  II  applies 
the  80  percent  reporting  efficiency  factor  to  component  failure  data  utilized 
?n  the  total  subsystems  failure  summations.  Recognizing  that  this  factor  is 
an  approximation,  STL  nonetheless  submits  the  resulting  figures  of  the 
final  column  of  Exhibit  II  as  the  best  available  prediction  of  MTBF  for  the 
major  subsystems. 
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MTBF — Demonstration  Requirement 

It  has  been  indicated  in  Reference  1>  affirmed  by  Reference  2,  and 
reaffirmed  by  STL  evaluation  that  the  basic  MTBF  requirement  of  14>  000 
hours  for  the  LCF(SRCC)  normal  subsystem  has  not  been  met,  at  least  by 
calculation.  The  predicted  MTBF  for  this  particular  subsystem  was  tab¬ 
ulated  in  Exhibit  II,  and  in  all  cases  calculation  was  based  upon  series 
treatment  of  individual  component  and  subsystem  failure  rates.  Since  the 
reliability  requirement  was  stated  in  terms  of  MTBF  hours,  the  approach 
is  acceptable.  But  determination  of  the  real  MTBF  of  a  system  by  demon¬ 
stration  may  be  quite  different  from  the  value  determined  analytically.  For 
this  reason  a  sequential  demonstration  plan  was  set  up  by  AAF  based  upon 
the  MTBF  requirement  of  14,  000  hours. 

The  sequential  sampling  plan  devised  by  AAF  utilizes  a  practical 
reliability- monitoring  plan  to  accumulate  the  time  required  to  demonstrate 
the  requirement.  It  is  proposed  that  actual  system  operation  time  at  the 
test  installation  base  (Vandenberg  Air  Force  Base)  and  at  the  Wing  I 
(Malmstrom  Air  Force  Base)  installation  site  be  utilized  for  demonstration 
time.  The  sequential  sampling  plan  proposed  is  intended  to  give  a  running 
capability  to  decide  whether  or  not  the  number  of  failures  versus  operation 
^ime  is  continuing  at  an  acceptable  rate.  MTBF  determination  as  such  will 
not  specifically  result  from  the  plan,  but  a  point  estimate  of  the  existmg 
MTBF  is  obtainable  at  any  time  simply  by  dividing  the  total  accumulated 
t  me  by  total  number  of  observed  failures. 

An  examination  of  the  MTBF  requirement,  however,  reveals  that 
complete  definition  of  the  requirement  is  lacking.  A  complete  requirement 
should  include  some  measure  of  confidence  and  should  include  a  sampling 
plan  to  statistically  refer  test,  demonstration,  or  operational  use  results 
back  to  the  requirement.  The  requirement  of  simply  14,  000  hours  MTBF 
allows  a  number  of  interpretations.  Three  such  interpretations  are 

1)  As  the  design  objective 

2)  As  the  lower  90-perccnt  confidence  limit  on  the  operational 
characteristic  (OC)  curve. 

3)  As  the  upper  95-percent  confidence  limit  on  an  OC  curve. 
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In  each  of  the  above  three  cases,  the  implication  of  the  MTBF  desired 
would  be  different*  In  interpretation  1,  the  true  MTBF  being  aimed  for  is 
14,  000  hours.  This  requires  that  a  statistical  sampling  demonstration  pro¬ 
gram  be  developed  which  provides  the  consumer  high  protection  against 
accepting  equipment  whose  estimated  MTBF  is  not  much  less  than  14,  000 
hours;  e.g.,  that  there  is  a  90-percent  assurance  that  the  true  MTBF  is 
greater  than  13,  500.  Interpretation  2  implies  that  the  true,  or  design, 
objective  MTBF  is  considerably  more  than  14,  000  hours  (perhaps  20,  000 
to  25,  000  hours)  for  successful  statistical  demonstration.  Interpretation  3 
(and  this  is  the  interpretation  given  by  the  AAF  Reliability  Demonstration 
Program  Plan)  states  that  if  14,  000  hours  MTBF  is  the  true  MTBF,  then 
there  is  95 -percent  probability  of  the  equipment  passing  the  statistical 
sampling  requirement.  However,  with  the  AAF  demonstration  plan  there 
IS  also  a  50- per  cent  chance  of  the  equipment  successfully  passing  the  re¬ 
quirements  with  a  MTBF  as  low  as  7000  to  8000  hours.  There  is  also  a 
10- percent  probability  of  the  equipment  passing  the  demonstration  plan  with 
a  MTBF  as  low  as  2800  hours.  Thus,  as  seen  from  this  discussion,  the 
implications  regarding  the  true  MTBF  of  the  equipment  can  very  likely 
range  all  the  way  from  less  than  one-half  the  14,  000  hours  to  more  than 
twice  the  14,  000  hours.  The  importance  of  the  incompletely  defined  MTBF 
requirement  noted  above,  together  with  the  possible  results  of  the  sampling 
demonstration  plan,  was  not  appreciated  when  it  was  originally  stated. 
However,  subsequent  and  much  better  requirements,  which  completely  define 
the  acceptable  minimums,  are  contained  in  the  Work  Statement  for  Wings 
ITT  and  IV.  In  these  plans  it  is  stated  that  the  minimum  MTBF  requirement 
shall  be  interpreted  as  the  50-percent  point  on  the  OC  curve  of  the  sequen¬ 
tial  sampling  plan.  The  contractor  is  required  to  submit  the  OC  curve  of 
the  sampling  plan  and  the  charts  for  plotting  failures  versus  data, 

which  shall  include  rejection  and  acceptance  lines  corresponding  to  a  and 
p  equal  to  10-percent.  This  type  of  requirement  describes  the  sampling 
plan  limits  and  defines  the  results  expected  so  that  the  customer  will  have 
no  question  as  to  what  he  is  buying;  this  protects  him  from  accepting  sys¬ 
tems  with  appreciably  less  than  the  desired  reliability. 
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IV,  RECOMMENDATIONS 


The  documents  which  are  the  subject  of  review  of  this  report  are 
dated  November  1961  and  April  and  May  of  1962.  It  is  apparent  that  rec¬ 
ommendations  to  provide  overall  corrections  for  design  upgrading  of 
Wing  I  components  and/or  subsystems  are  not  relevant  at  this  late  date, 
especially  since  usual  techniques  of  redundundancy  application  or  over- 
design  were  not  permitted  in  Wing  I. 

The  basic  requirement  of  14,  000  hours  MTBF  for  each  of  the  major 
subsystems  does  not  appear  extreme,  as  will  be  noted  in  the  summary; 
depending  upon  interpretation  of  the  requirements,  all  subsystems  may 
meet  MTBF  demonstration  requirements.  But  by  probabilistic  assessment, 
the  LCF(SRCC)  normal  system,  at  least,  does  not  meet  the  requirement. 
Ordinarily,  techniques  of  reliability  such  as  component  elimination  or 
reduction,  application  of  redundancy  methods,  or  component  or  system 
upgrading  and  improvement  would  be  employed.  For  reliability  upgrading 
of  this  Wing,  the  Contractor  has  been  told  that  with  the  exception  of  the  air 
compressor,  stricter  quality  control  and  improved  installation  methods 
were  the  only  avenues  open  to  them. 

The  one  component  currently  undergoing  change  and  intended  to  be 
retrofitted  into  Wing  1  is  the  air  compressor.  The  belt  drive  of  the  current 
air  compressor  will  be  replaced  with  a  flexible  shaft,  and  the  failure  rate 
prediction  is  1.40/ 10^  hours  versus  the  2.00/ 10^  now  estimated.  This 
change  alone  will  boost  the  SRCC  MTBF  to  well  over  12,  000  hours. 

Electric  motors  are  among  the  components  with  high  failure  rate 
which  should  be  examined  for  possible  reliability  improvement.  The  impor¬ 
tant  improvement  required  would  be  in  upgrading  of  bearings,  since  bearing 
failure  is  a  prime  failure  mode.  If  failure  rate  of  the  fan  and  pump  motors  alone 
could  be  reduced  to  the  generic  mean  rate  (0.300/ 10^  hours)  the  LCF(SRCC) 
MTBF  prediction  would  increase  to  13,  600  hours.  This  is  the  subject  of 
study  at  the  present  time  for  inclusion  in  future  Wings.  Many  other  ave¬ 
nues  of  investigation  for  increasing  subsystem  and  component  MTBF  are 
currently  being  investigated  for  future  Wing  requirements.  Alternate 
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components  have  been  suggested  in  many  areas.  New  design  models  of 
brine  chiller  and  air  conditioner  with  resulting  system  changes  being 
developed  under  separate  R  and  D  contract  by  AAF  are  expected  to  result 
in  more  than  double  the  current  SRCC  MTBF  hours  predicted. 

The  recommendations  offered  by  STL  at  this  time  include: 

A.  For  Wing  I: 

1)  Accept  the  currently  predicted  STL  MTBF  for  Wing  I 
as  the  best  possible,  utilizing  currently  available 
failure  data  and  prediction  techniques. 

2)  Closely  monitor  all  failure  data  which  will  be  initi¬ 
ated  by  the  Installation  Contractor  and  Air  Force. 

3)  Assure  that  corrective  action  is  initiated  on  a  priority 
basis  where  required. 

4)  Maintain  close  liaison  and  coordination  with  Installation 
and  Quality  Control  personnel  and  checkout  procedures. 

5)  If  necessary,  because  of  severe  decrease  in  MTBF, 
recommend  for  retrofit  into  Wing  1  any  applicable 
change  currently  being  investigated. 

B.  For  Future  Wings: 

1)  Completely  define  the  reliability  requirements  as  to 
MTBF,  including  confidence  factors  and/or  a  sampling 
plan  to  statistically  refer  test,  demonstration,  or 
operational  use  results  back  to  the  requirement. 

2)  Require  compliance  with  existing  military  documents 
(for  example,  MIL- R- 27542),  requesting  submittal  of 
maintenance  analyses,  safety  margin  calculations, 
failure  reporting  system  plan,  feasibility  studies, 
apportionment,  vendor  selection  and  control  program, 
reports  submission,  and  other  normal  reliability 
program  constituents. 

3)  Define  all  reliability  terms  used  in  reports. 

4)  Require  complete  environmental  description  for  all 
systems  as  well  as  normal  operating  periods  and  sur¬ 
vival  periods  as  part  of  the  reliability  report. 

5)  Allow  contractor  scheduled  time  and  freedom  to  prepare 
detailed  component  failure  analyses  by  submitting 
requests  for  proposal  6  months  ahead  of  time. 
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6)  Require  complete  component  description*  and  discourage 
use  of  terms  such  as  "lot,  "  "run,  *'  and  "group,  "  for 
failure  rate  assignments. 

7)  Require  estimation  of  reporting  efficiency  factor  for 
individual  sub  vendors  and  include  this  in  calculations. 

Many  of  the  foregoing  comments  could  be  classed  as  techniques  or 
methods  and  perhaps  need  not  appear  in  written  reliability  requirements. 

But  they  need  to  be  covered  whether  written  or  required  verbally.  Such 
a  thorough  reliability  background  enables  possible  problem  areas  to  be 
easily  discerned,  corrective  action  to  be  more  easily  applied,  and  the 
importance  of  individual  system  components  to  be  easily  defined. 

The  importance  of  reliability  design  freedom  cannot  be  overestimated. 
Little  more  system  MTBF  can  be  gained  without  employing  the  methods  of 
overdesign,  use  of  redundancy,  etc.,  covered  previously. 


V.  SUMMARY 


In  the  areas  of  failure  rate  determination  and  failure  data  collection, 
American  Air  Filter  Company  has  shown  good  effort  in  Reference  1  and 
subsequent  reports.  Existing  industry  problems  with  equipment  failure 
reporting  methods  and  requirements  and  limited  operation  information  on 
new  equipments  preclude  availability  of  good  quality  failure  data.  Data 
estimates,  compared  with  STL  estimates,  are  optimistic  but  not  generally 
extreme.  The  failure  and  safety  analyses  submitted  by  Reference  1  are 
informative  and  acceptable,  and  the  block  diagrams  are  generally  well 
done;.  The  reliability  analysis  structure  utilizing  a  serial  arrangement 
concept  for  all  components  and  subsystems  is  proper  with  two  exceptions, 
the  emergency  water  storage  system  and  the  incorporation  of  the  alarm 
component  failure  rates  into  the  system  estimates. 

Lack  of  system  redundancy,  limited  upgrading  recommendations,  the 
time  limitations  for  gathering  environmental  system  component  information, 
and  minimum  overdesign  evident  in  the  reports  were  generally  caused  by 
limitations  imposed  by  STL,  The  Parsons  Company,  or  the  Air  Force. 

For  example,  the  Wing  I  Real  Property  Installed  Equipment  concept  does 
not  permit  use  of  design  redundancy.  Other  restrictions  to  a  complete 
reliability  program  are  discussed  in  Reference  4  for  Wing  I  environmental 
control  systems  equipment  only. 

The  Reference  2  report  in  the  reliability  area  provides  little 
applicable  constructive  criticism  for  Wing  I.  Many  good  suggestions  for 
upgrading  systems  apparently  would  have  been  implemented  by  AAF  if 
they  had  been  given  the  freedom  or  the  authority  to  do  so.  Obviously,  for 
example,  redundancy  may  have  been  considered  for  those  components 
with,  extremely  high  failu’-e  rates  had  contrary  system  design  limitations 
not  been  imposed.  Occasionally  the  part  failure  information  used  by  AAF 
was  not  of  good  quality  and  was  not  well  applied;  however,  the  approach  of 
Reference  2  was  much  less  satisfactory  in  these  respects.  The  failure 
rates  used  in  this  latter  reference  were  very  general,  part-type  generic 
mean  values  and,  it  is  suspected,  reflect  more  missile  use  than  commercial, 


or  missile  ground  support  systems  use.  Derating  or  application  factors 
were  not  employed  in  Reference  2  for  various  reasons.  In  fact,  it  is 
difficult  to  classify  MTBF  determination  of  Reference  2  as  much  more 
than  a  very  rough  first  estimate. 

The  specification  requirement  contained  in  the  Statement  of  Work 
calls  for  a  minimum  of  14,  000  hours  MTBF  for  each  of  the  three  major 
subsystems.  Disregarding  the  fact  that  the  same  MTBF  is  required  for 
three  subsystems  of  different  complexities,  so  that  in  all  probability  the 
estimated  MTBF*s  will  probably  not  be  identical,  this  report  shows  that 
one  of  the  three  subsystems,  the  LCF(SRCC)  Normal,  does  not  meet  the 
requirement.  The  final  STL  column  of  Exhibit  II  shows  estimated  MTBF 
of  11,  902  hours  for  LCF(SRCC)  Normal,  20,  503  hours  for  LCF{LCC) 
Normal,  and  22,  013  hours  for  LC  Normal.  No  claim  of  compliance  with 
the  requirement  of  14,  000  hours  per  se  is  made  by  Reference  1  for  the 
LCF(SRCC)  Normal.  It  is  expected  that  employment  of  recommendations 
for  upgrading  system  components  along  with  current  and  proposed  ECP*s 
would  raise  the  MTBF  to  an  acceptable  level,  but  change  effectivity  will 
probably  not  be  reflected  back  into  Wing  I  to  any  great  degree. 

It  should  be  realized  that  a  precise  prediction  of  MTBF  is  not  possible, 
because  of  various  factors  which  cannot  be  evaluated  at  this  time.  For 
example,  the  effect  on  component  reliability  of  storage  methods  employed 
is  one  such  factor.  The  effect  of  methods  used  to  transport  and  handle 
equipment  is  unknown.  Since  the  assembled  equipment  is  transferred  to 
an  Installation  Contractor  who  subsequently  adds  racks,  panels,  etc., 
before  turning  the  site  over  to  the  Air  Force,  a  reliability  degradation  can 
be  expected  in  this  area.  Additional  problems  may  arise  from  the  revamp- 
ing  of  the  silo  entrance  in  Project  ”  Button  Up.”  There  is  good  probability 
that  cement  dust  and  other  contamination  will  not  be  completely  eliminated 
before  Air  Force  acquisition  of  the  facility.  This,  of  course,  may  result 
in  an  initially  high  number  of  failure  reports.  Comparison  of  predicted 
MTBF  values  at  this  time  with  the  actual  MTBF  hours  resulting  from 
extended  field  operation  at  some  later  date  will  be  made. 
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It  appears  obvious  that  the  stringent  limitations  of  system  design 
imposed  upon  this  Wing  due  to  costs,  scheduling,  or  other  reasons  must 
be  lifted  on  future  wings  if  the  increased  MTBF  requirements  are  to  be 
met.  Very  little  actual  reliability  increase  can  be  expected  solely  from 
methods  of  better  quality  control  or  installation  processes.  These  are,  in 
fact,  only  comparative  processes.  In  the  future,  Wing  Associate 
Contractors  must  be  permitted  greater  freedom  in  the  area  of  component 
and  system  overdesign  allowances,  use  of  redundancy  when  necessary,  and 
greater  space  or  weight  allowances  where  possible.  From  the  user's 
standpoint,  these  same  contractors  must  have  impressed  upon  them  the 
value  of  the  use  of  "best  quality"  existing  components,  continued  search 
for  new  and  better  equipment,  the  importance  of  keeping  abreast  of  the 
current  state- of- the > art,  the  absolute  value  of  the  use  of  simple  com¬ 
ponents,  and  the  elimination  of  unnecessary  equipment  or  functions. 

With  proper  use  of  these  techniques  and  procedures  aided  by  consistent 
and  complete  failure  reporting  and  equipment  use  feedback,  there  appears 
to  be  no  reason  why  any  of  the  three  major  Normal  Environmental  Control 
Subsystems  cannot  meet  later  Wing  MTBF  requirements  of  20,  000-30,  000 
hours. 
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